Talos Vulnerability Report

TALOS-2017-0427

Computerinsel Photoline SVG Parsing Code Execution Vulnerability

October 4, 2017

CVE Number

CVE-2017-2920

Summary

A memory corruption vulnerability exists in the .SVG parsing functionality of Computerinsel Photoline 20.02. A specially crafted .SVG file can trigger memory corruption, which can potentially lead to arbitrary code execution. An attacker can send a specific .SVG file to trigger this vulnerability.

A memset call is executed with a size parameter that can be controlled by the attacker.
The size parameter is calculated from the SVG path's D attribute, which is a string containing
a series of path descriptions (in this case Curveto). This value is later converted from float
to int and then used as a factor in a multiplication (instruction at 0x00822E0E).

In this case the bug requires the feGaussianBlur filter to be attached to the path style.
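As an added example that is not Talos's or Photoline's code: a hardened version of the size computation described above, which validates the D-attribute coordinates before the float-to-int conversion and overflow-checks the multiply, so the size handed to memset is bounded regardless of the file's contents. MAX_DIM, the simplified D-attribute scanner and the function names are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_DIM 16384.0 /* assumed upper bound on one raster dimension, in pixels */

/* Round a validated, non-negative coordinate up to a whole pixel count. */
static size_t pixels(double v) { return (size_t)v + (v > (double)(size_t)v); }

/* width * height * bytes_per_pixel for the blur raster. NaN, infinity, negative
 * or oversized dimensions are rejected before the float-to-int conversion, and
 * the multiply is overflow-checked. Returns 0 and sets *size, or -1. */
static int blur_buffer_size(double w, double h, size_t bpp, size_t *size)
{
    if (!(w >= 0.0 && w <= MAX_DIM) || !(h >= 0.0 && h <= MAX_DIM) || bpp == 0)
        return -1; /* the comparisons are false for NaN, so NaN is rejected too */
    size_t px = pixels(w) * pixels(h); /* at most MAX_DIM*MAX_DIM, cannot wrap */
    if (px > SIZE_MAX / bpp)
        return -1;
    *size = px * bpp;
    return 0;
}

/* Bounding width/height of a path's D attribute. Simplified (assumption): command
 * letters are skipped and every number is taken as an alternating absolute x, y. */
static int path_extent(const char *d, double *width, double *height)
{
    double max[2] = {0.0, 0.0};
    int idx = 0;
    for (const char *p = d; *p; ) {
        if (isalpha((unsigned char)*p) || *p == ',' || isspace((unsigned char)*p)) { p++; continue; }
        char *end;
        double v = strtod(p, &end);
        if (end == p)
            return -1; /* neither a number nor a separator: malformed D */
        if (v > max[idx & 1]) max[idx & 1] = v;
        idx++;
        p = end;
    }
    *width = max[0];
    *height = max[1];
    return 0;
}

/* Bytes to clear for the blur raster, or 0 when the path must be rejected. */
size_t path_blur_bytes(const char *d, size_t bpp)
{
    double w, h; size_t size;
    return (path_extent(d, &w, &h) || blur_buffer_size(w, h, bpp, &size)) ? 0 : size;
}
```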